IN THE CLAIMS 



This listing of claims will replace all prior versions, and listings, of claims in the 
application: 
Listing of Claims: 

1. 1-2 (Canceled) 

2. (Canceled) 

3. (Currently Amended)-A method for analyzing a logfile produced by a computer 
network security system, comprising: 

providing a regular expression query associated with a pattern to be searched for in the 
logfile; and 

using the query to search for the pattern in the logfile; 

wherein the pattern is associated with a possibl e sgid exploit and using the query to 
search for the pattern includes searching for entries showing that a process has been started by a 
sgid process with effective group ID equal to zero and group ID (gid) not equal to zero . 

4. (Original) The method as recited in claim 3, wherein using the query to search for 
the pattern further includes storing a process ID of the process, and searching for processes with 
a parent process ID equal to the stored process ID. 

5-8. (Canceled) 

9. (Currently Amended) A method for analyzing a logfile produced by a computer 
network security system, comprising: 

providing a regular expression query associated with a pattern to be searched for in the 
logfile; and 

using the query to search for the pattern in the logfile; 

wherein the pattern is associated with a possibl e sgid exploit , the pattern is associated 
with processes spawned by a shell, and using the query to search for the pattern includes 
searching for entries showing that the shell has started a process, storing a process ID of the 
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process, and searching for entries showing processes with parent process ID equal to the stored 
process ID; 

wherein the shell comprises a sgid process with effective group ID equal to zero and 
group ED (gid) not equal to zero . 

10 -28 (Canceled) 

29, (Currently Amended) A system for analyzing a logfile produced by a computer 
network security system, comprising: 

a storage including a regular expression query associated with a pattern to be searched for 
in the logfile; and 

a processor configured to use the query to search for the pattern in the logfile; 

wherein the pattern is associated with a possible sgid exploit and the processor is further 
configured to search for entries showing that a process has been started by a sgid process with 
effective group ED equal to zero and group ID (gid) not equal to zero . 

30 (Original) The system as recited in claim 29, wherein the processor is further 
configured to store a process ID of the process, and search for processes with a parent process ID 
equal to the stored process ID. 

31-34 (Canceled) 

35. (Currently Amended) A computer program product for analyzing a logfile 
produced by a computer network security system, comprising a computer usable medium having 
machine readable code embodied therein for 

providing a regular expression query associated with a pattern to be searched for in the 
logfile; and 

using the query to search for the pattern in the logfile; 

wherein the pattern is associated with a possibl e sgid exploit and using the query to 
search for the pattern includes searching for entries showing that a process has been started by a 
sgid process with effective group ID equal to zero and group ID (gid) not equal to zero . 

36-41 (Canceled) 
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